Simon,
Wow, I feel stupid =). I didn't realize all user IDs go in radcheck whether it's a group ID or not, thank you so much for everything. Your time is greatly appreciated.
Everything's working now, the only thing I need to figure out is how to get the incoming IP address into accounting. Radacct gives the NAS IP Address, as well as the Framed IP Address, but I cannot seem to get the PPP address to display. When I was first setting this up I remember seeing it on the Radius outputs when using radiusd -xx but it doesn't seem to be included in the MySQL schema. It's something I'll have to take a look at, I'm sure there's documentation out there.
Thanks again Simon, I'll be sure to leave ya alone for a few days, hehe.
Chris DeRamus
HQ VPN Administrator
Verizon
301-903-2093
-----Original Message-----
From: Simon [mailto:[EMAIL PROTECTED]]
Sent: Thursday, May 30, 2002 10:24 AM
To: [EMAIL PROTECTED]
Subject: Re: Problems with MySQL Auth-Type
On Thu, May 30, 2002 at 09:27:32AM -0400, Deramus, Chris wrote:
> Simon,
>
> I follow what you are saying, I changed a few tables per your suggestions,
> no success. I'm going to copy paste what I have, I apologize in advance for
> the length of this post.
>
> mysql> select * from radcheck;
> +----+----------+-----------+---------+------+
> | id | UserName | Attribute | Value | op |
> +----+----------+-----------+---------+------+
> | 1 | TestRad | Password | TestRad | := |
> | 2 | Radius | Password | TestRad | := |
> +----+----------+-----------+---------+------+
> 2 rows in set (0.00 sec)
This looks fine.
Since you have cleartext passwords set also make sure that you have
encryption_scheme = clear in the pap section of the modules section in
radiusd.conf.
> mysql> select * from radgroupcheck;
> +----+-----------+-----------------+-------------+------+
> | id | GroupName | Attribute | Value | op |
> +----+-----------+-----------------+-------------+------+
> | 1 | Radius | Password | TestRad | := |
> | 2 | Radius | Auth-Type | PAP | := |
> | 3 | Radius | Framed-Protocol | PPP | == |
> | 4 | Radius | Service-Type | Framed-User | == |
> +----+-----------+-----------------+-------------+------+
> 4 rows in set (0.00 sec)
Remove the row with id = 1.
> mysql> select * from radgroupreply;
> +----+-----------+--------------------+-------------+------+------+
> | id | GroupName | Attribute | Value | op | prio |
> +----+-----------+--------------------+-------------+------+------+
> | 2 | Radius | Framed-Protocol | PPP | == | 0 |
> | 3 | Radius | Service-Type | Framed-User | == | 0 |
> | 1 | Radius | Auth-Type | PAP | := | 0 |
> | 4 | Radius | Framed-Compression | None | == | 0 |
> +----+-----------+--------------------+-------------+------+------+
> 4 rows in set (0.00 sec)
Remove row with id = 1, you don't set auth-type in radgroupreply.
Change all the other op fields to ':='.
Are you sure your NAS wants the above attributes in return? Just making
sure.
> mysql> select * from radgroup
> +----+----------+-----------+
> | id | UserName | GroupName |
> +----+----------+-----------+
> | 1 | TestRad | Radius |
> | 2 | Radius | Radius |
> +----+----------+-----------+
> 2 rows in set (0.00 sec)
This looks fine, if this is actually the usergroup table. Have you
updated the queries in sql.conf to reflect the table name change?
Using 'Radius' as both a username and groupname might get confusing
though.
> I am trying to send out the first authorization/authentication request as
> part of the Radius group. Multiple users will have this group name and group
> password. Next I want the user TestRad to authenticate himself. After these
> two authentication requests pass through, everything *should* be okay.
I think the whole group thing in your vpn-concentrator is what's
confusing the whole issue. I _believe_, though I could of course be wrong,
that your NAS will just send a "normal" radius auth packet when it wants
to authenticate the group, i.e. User-Name = "groupname". The whole group
bit used in the freeradius sql tables is just used internally by the
rlm_sql* modules for easier grouping handling of accounts/attributes.
Try making the changes I noted above, if that doesn't help include the
output of 'radiusd -X' when you try logging on with one of your clients.
--
Simon
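The table changes suggested in the reply above, as an added example that is not part of either message and is not FreeRADIUS code: a small check that flags the rows Simon points at and then applies his three fixes. It assumes an in-memory SQLite copy of the posted radgroupcheck and radgroupreply rows (constructed here from the thread); the function names are hypothetical.

```python
import sqlite3

def build_db():
    """In-memory copy of the two group tables as posted in the thread (constructed)."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE radgroupcheck (id INTEGER, GroupName TEXT, Attribute TEXT, Value TEXT, op TEXT);
        CREATE TABLE radgroupreply (id INTEGER, GroupName TEXT, Attribute TEXT, Value TEXT, op TEXT, prio INTEGER);
        INSERT INTO radgroupcheck VALUES
            (1,'Radius','Password','TestRad',':='),
            (2,'Radius','Auth-Type','PAP',':='),
            (3,'Radius','Framed-Protocol','PPP','=='),
            (4,'Radius','Service-Type','Framed-User','==');
        INSERT INTO radgroupreply VALUES
            (2,'Radius','Framed-Protocol','PPP','==',0),
            (3,'Radius','Service-Type','Framed-User','==',0),
            (1,'Radius','Auth-Type','PAP',':=',0),
            (4,'Radius','Framed-Compression','None','==',0);
    """)
    return db

def lint(db):
    """Return sorted (table, id, problem) tuples for rows the reply flags."""
    findings = []
    for (rid,) in db.execute("SELECT id FROM radgroupcheck WHERE Attribute = 'Password'"):
        findings.append(("radgroupcheck", rid, "password row: remove, keep it in radcheck"))
    for (rid,) in db.execute("SELECT id FROM radgroupreply WHERE Attribute = 'Auth-Type'"):
        findings.append(("radgroupreply", rid, "Auth-Type is not set in radgroupreply"))
    for (rid,) in db.execute(
            "SELECT id FROM radgroupreply WHERE Attribute != 'Auth-Type' AND op != ':='"):
        findings.append(("radgroupreply", rid, "reply op should be ':='"))
    return sorted(findings)

def apply_fixes(db):
    """Apply the three changes from the reply to the group tables."""
    db.execute("DELETE FROM radgroupcheck WHERE Attribute = 'Password'")
    db.execute("DELETE FROM radgroupreply WHERE Attribute = 'Auth-Type'")
    db.execute("UPDATE radgroupreply SET op = ':=' WHERE op != ':='")
    db.commit()

if __name__ == "__main__":
    db = build_db()
    for finding in lint(db):
        print(finding)
    apply_fixes(db)
    print("after fixes:", lint(db))
```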
